Security Incidents mailing list archives
Re: What's this a probe for?
From: coldfire () SHADY ORG (Cold Fire)
Date: Fri, 18 Feb 2000 20:35:03 +0000
On Thu, Feb 17, 2000 at 05:10:51PM -0800, Robert Graham wrote:
I don't think so, but I think it is related. The DDoS floods came from Sun servers that were compromised by RPC services like cmsd, ToolTalk, statd, etc. These services usually run on dynamically assigned port numbers, and you discover which by sending a request to the portmapper service at port 111. However, Sun machines start allocating their dynamic port assignments at around 32771. A probe for 32773 means that the hacker is hoping that you (or others in your address range) have a Sun workstation, and that the exploit he/she is scanning for runs at port 32773. On my machine, cachefsd is running at that port. I am not aware of any attacks against that service. My guess is that on the hacker's machine, cmsd is running at that port, and he/she is scanning the Internet for similarly configured machines.
As RPC ports are dynamically assigned, the chances of the same service running on the same port on several machines are pretty slim (although there are a few exceptions, notably nfsd). The only reason to try and connect directly to these ports would be if the target was blocking port 111. As the attack seems to have been directed at a single port, a scan for RPC services is unlikely. However, early versions of Solaris (2.5.1 and earlier) ran an undocumented UDP portmapper service on ports higher than 32770 (port dependent on OS release and architecture), and it is probably this that the attacker is scanning for, to avoid filtering of port 111.

later
Steve

--
'Cold Fire, Britain's most notorious hacker' Observer, July 1997

'The most recent conviction was that of [Cold Fire] whose on-line escapades spanned from hacking into educational sites to more sinister activities such as tapping into industrial and United States military sites.' DC Paul Cox, SO6 Scotland Yard CCU
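Both messages above turn on the same mechanism: a portmapper (program 100000) answers a PMAPPROC_DUMP request with the list of RPC programs and the dynamic ports they were given, and on Solaris that same service could be reached on a high UDP port as well as on 111. The following is an added example, not code from the thread or from either poster: a minimal ONC RPC (RFC 1057/1833) encoder and decoder that builds the DUMP call, parses the reply into (program, version, protocol, port) mappings, and flags the ones living in the 32771+ range. The program-number labels and the sample mappings are constructed for this example; the `probe_portmapper` helper is the only part that touches the network and takes the target host and port as arguments, so it can be pointed at 111 or at a suspected high-port portmapper alike.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

# ONC RPC v2 / portmapper constants (RFC 1057, RFC 1833).
PMAP_PROG = 100000
PMAP_VERS = 2
PMAPPROC_NULL = 0
PMAPPROC_DUMP = 4
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL = 0

# Labels used only for display; this table is constructed for the example
# (rpcinfo and /etc/rpc carry the authoritative program-number list).
RPC_NAMES: Dict[int, str] = {
    100000: "portmapper", 100003: "nfs", 100024: "status",
    100068: "cmsd", 100083: "ttdbserver", 100235: "cachefsd",
}

# Constructed sample of what a Solaris portmapper might hand back on DUMP:
# (program, version, protocol, port) with protocol 6 = TCP, 17 = UDP.
SAMPLE_ENTRIES: List[Tuple[int, int, int, int]] = [
    (100000, 2, 17, 111), (100000, 2, 6, 111),
    (100024, 1, 17, 32772), (100235, 1, 17, 32773),
    (100068, 2, 17, 32774), (100083, 1, 6, 32775),
]


def build_rpc_call(xid: int, prog: int, vers: int, proc: int, args: bytes = b"") -> bytes:
    """Encode an RPCv2 CALL with AUTH_NULL credentials and verifier (XDR, big-endian)."""
    header = struct.pack("!6I", xid, MSG_CALL, 2, prog, vers, proc)
    auth = struct.pack("!4I", AUTH_NULL, 0, AUTH_NULL, 0)  # cred flavor/len, verf flavor/len
    return header + auth + args


def build_pmap_dump_reply(xid: int, entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Encode the server side of PMAPPROC_DUMP: an XDR linked list of mappings."""
    body = b"".join(struct.pack("!5I", 1, *e) for e in entries) + struct.pack("!I", 0)
    header = struct.pack("!3I", xid, MSG_REPLY, MSG_ACCEPTED)
    verf = struct.pack("!2I", AUTH_NULL, 0)
    return header + verf + struct.pack("!I", SUCCESS) + body


def parse_rpc_reply(data: bytes, xid: int) -> Optional[bytes]:
    """Return the result payload of an accepted reply matching our XID, else None."""
    if len(data) < 24:
        return None
    r_xid, mtype, rstat = struct.unpack("!3I", data[:12])
    if r_xid != xid or mtype != MSG_REPLY or rstat != MSG_ACCEPTED:
        return None
    _flavor, verf_len = struct.unpack("!2I", data[12:20])
    off = 20 + ((verf_len + 3) & ~3)  # verifier body is padded to a 4-byte boundary
    if len(data) < off + 4:
        return None
    (astat,) = struct.unpack("!I", data[off:off + 4])
    return data[off + 4:] if astat == SUCCESS else None


def parse_pmap_dump(body: bytes) -> List[Dict[str, object]]:
    """Walk the XDR linked list (bool value_follows, then a 4-int mapping)."""
    entries: List[Dict[str, object]] = []
    off = 0
    while off + 4 <= len(body):
        (follows,) = struct.unpack("!I", body[off:off + 4])
        off += 4
        if not follows:
            break
        prog, vers, prot, port = struct.unpack("!4I", body[off:off + 16])
        off += 16
        entries.append({"prog": prog, "name": RPC_NAMES.get(prog, str(prog)),
                        "vers": vers, "proto": "tcp" if prot == 6 else "udp", "port": port})
    return entries


def high_port_services(entries: List[Dict[str, object]], floor: int = 32771) -> List[Dict[str, object]]:
    """Mappings in the dynamic range the thread discusses (Solaris starts at 32771)."""
    return [e for e in entries if e["port"] >= floor]


def probe_portmapper(host: str, port: int = 111, timeout: float = 2.0, xid: int = 0x5EC10000):
    """Send PMAPPROC_DUMP over UDP to host:port; None if nothing there answers as a portmapper."""
    req = build_rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    body = parse_rpc_reply(data, xid)
    return None if body is None else parse_pmap_dump(body)


if __name__ == "__main__":
    import sys
    # Offline run against the constructed reply; pass "host [port]" to probe a live box.
    if len(sys.argv) > 1:
        found = probe_portmapper(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 111)
    else:
        found = parse_pmap_dump(parse_rpc_reply(build_pmap_dump_reply(7, SAMPLE_ENTRIES), 7))
    for e in high_port_services(found or []):
        print(f"{e['name']:<12} v{e['vers']} {e['proto']}/{e['port']}")
```

Two things worth noting when using this against real hosts. The XID check in `parse_rpc_reply` is what keeps an unrelated UDP datagram from being misread as a mapping list, and the reply is validated before any entry is trusted, since a DUMP body is attacker-controlled input if the "portmapper" you reached is something else. Only an answer from a high port that decodes as program 100000 confirms the undocumented Solaris portmapper the message describes; a bare open UDP port tells you nothing.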
Current thread:
- What's this a probe for? Brett Glass (Feb 16)
- Re: What's this a probe for? Robert Graham (Feb 17)
- Incident Management Wozz (Feb 17)
- Re: Incident Management Andrew Steingruebl (Feb 21)
- Re: Incident Management Martin A. Brown (Feb 21)
- Re: Incident Management Jose Nazario (Feb 21)
- Re: Incident Management Security (Feb 21)
- Port 8 Edwin Covert (Feb 22)
- Re: Incident Management Wozz (Feb 21)
- Incident Management Wozz (Feb 17)
- Re: What's this a probe for? Cold Fire (Feb 18)
- Re: What's this a probe for? Robert Graham (Feb 17)
- Re: What's this a probe for? Jens Hektor (Feb 17)